Firewall Meets MFA: Secure Access at the Network Level

Nov 29, 2017 | by Tony Karam

What do you get when you cross a next-generation firewall with flexible multi-factor authentication (MFA)? The kind of strong protection you need when you have cloud, mobile and the internet of things (IoT) all enabling more collaboration and innovation, but also creating more ways for intruders to get into your private network resources. The increased attack surface places some tough demands on organizations to increase cybersecurity. Let’s take a look at what’s behind the challenge, and how an integrated-technologies approach can make it much more manageable.

The Challenge: Extending Authentication Everywhere

Multi-factor authentication is a powerful tool for enforcing secure access across an organization. However, applying it consistently everywhere to everything—legacy applications, IoT environments and isolated networks—is a pretty tall order. What happens when legacy apps and IoT devices don’t support standards-based authentication protocols, as is often the case? Updating legacy apps with SAML or RADIUS protocols to support new authentication methods isn’t easy. It may even be downright impossible to update IoT devices if they weren’t developed in-house by your organization (which they rarely are).

There’s also the challenge of extending protection to isolated networks. It’s not unusual for an organization to segment sensitive networks from other internet-connected networks. But if you have a cloud-based identity management service, how are you going to connect the applications in the segmented networks to the identity management service to verify credentials?

The Solution: Integrated Firewall and Multi-Factor Authentication

If you can put a firewall together with multi-factor authentication, you can enforce authentication at the network level before access to applications and systems is granted. This eliminates the challenge of updating the affected applications and systems themselves, as the firewall now acts as the authentication gateway for access requests.

For this to work, you need a firewall and a multi-factor authentication solution that are interoperable, so that the firewall can draw on the authentication capabilities to challenge access requests when appropriate and thwart attackers who are trying to use stolen credentials to gain access. Enforcing secure access at the network level also enables you to extend authentication to isolated networks, where applications wouldn’t ordinarily be able to connect to identity management systems.

Moving from Custom Development to Collaboration

RSA and Palo Alto Networks® have been working toward this collaborative solution, recently announcing interoperability between Palo Alto Networks Next-Generation Firewall and RSA SecurID® Access. The idea behind the effort is to enable our joint customers to protect legacy apps and IoT devices, as well as other existing systems, including mainframe servers, networking equipment, custom apps, SCADA systems and much more, from credential abuse.

Collaborations like this are part of a larger initiative to make RSA multi-factor authentication easily consumable by a variety of access-related partner applications. These technology integrations help organizations enforce authentication at the point of access, providing greater visibility and security more efficiently. To learn more, read the latest news about RSA’s expanding technology ecosystem.
